
A problem with Packages? Or is it not?


Let us assume the following scenario:

1/ Mr X has hacked the main ftp with debs.
2/ He puts his malicious version of some deb into the pool. He just adds
it in the directory, nothing gets deleted.
3/ Mr X changes the proper line in Packages. It is not signed, so the change
remains unknown. Now Packages points to the malicious version of the package.
4/ I do 'apt-get update'. Apt downloads the changed Packages file.
5/ Apt upgrades the package with Mr X's version.
6/ Bad things happen.

Is this possible?
In theory, both .dsc and .changes are signed with the maintainer key, but
.dsc describes only source files (orig + diff) and .changes does not seem
to be present in the pool (I think it gets integrated into Packages,
which can be changed by Mr X without problems). Have I described a real
threat, or is there something I do not know?

I'd appreciate CCs to me, as I do not read this list.


   __    __.--------------------------http://yacoob.dnsalias.net/cv.html---.__
  (oo)  |    Alka SeltzBorg:  I can't believe I assimilated the WHOOOOLE      |
 / \/ \ |                               thing!!                               |
 `V__V' `--.__penguin_#128720______________________________________________.--'
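An added illustration (not part of the post above, and not Debian's own tooling) of why an unsigned Packages index cannot stop the scenario described, and what a signed index-of-indices changes: a modern Debian-style Release file lists the hash of each Packages file, so an edited Packages line no longer matches. All package data below is constructed for the demo; verifying the Release file's signature against the archive key is assumed to have happened already and is omitted.

```python
import hashlib
import re

# Constructed sample data for this demo; not taken from any real archive.
GOOD_DEB = b"!<arch>\nconstructed genuine package contents\n"
EVIL_DEB = b"!<arch>\nconstructed malicious replacement\n"
INDEX_PATH = "main/binary-i386/Packages"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def parse_stanzas(text: str) -> list:
    """Split Packages/Release text into field dicts; continuation lines are folded in."""
    stanzas = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields, key = {}, None
        for line in block.splitlines():
            if line[:1] in (" ", "\t") and key:      # continuation line of a multi-line field
                fields[key] += "\n" + line.strip()
            else:
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
        stanzas.append(fields)
    return stanzas

def packages_stanza(name: str, deb: bytes) -> str:
    """Build one Packages stanza describing a .deb (hypothetical helper)."""
    return (f"Package: {name}\nVersion: 1.0-1\n"
            f"Filename: pool/main/{name[0]}/{name}/{name}_1.0-1_i386.deb\n"
            f"Size: {len(deb)}\nSHA256: {sha256_hex(deb)}\n")

GOOD_PACKAGES = packages_stanza("foo", GOOD_DEB)
EVIL_PACKAGES = packages_stanza("foo", EVIL_DEB)   # Mr X's edited index line

# Release vouches for the Packages index; in a real archive this file is signed.
RELEASE = ("Suite: stable\nSHA256:\n "
           f"{sha256_hex(GOOD_PACKAGES.encode())} {len(GOOD_PACKAGES.encode())} {INDEX_PATH}\n")

def release_vouches_for(release_text: str, path: str, packages_text: str) -> bool:
    """Step 1: does the (signed) Release file list exactly this Packages index?"""
    for line in parse_stanzas(release_text)[0].get("SHA256", "").splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[2] == path:
            return parts[0] == sha256_hex(packages_text.encode())
    return False

def deb_matches_index(packages_text: str, name: str, deb: bytes) -> bool:
    """Step 2: does the downloaded .deb match the hash recorded in Packages?"""
    for st in parse_stanzas(packages_text):
        if st.get("Package") == name:
            return st.get("SHA256") == sha256_hex(deb)
    return False

def safe_to_install(release_text: str, packages_text: str, path: str, name: str, deb: bytes) -> bool:
    return release_vouches_for(release_text, path, packages_text) and deb_matches_index(packages_text, name, deb)
```

Step 2 alone accepts Mr X's .deb as soon as he edits the Packages line; only step 1, anchored in a signed Release file, notices that the index itself was changed.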
